
Discover What’s New with Identity Management for Winter '26

Learning Objectives

After completing this unit, you’ll be able to:

  • Implement headless user discovery to enable flexible login identifiers in authentication flows.
  • Update SAML configurations to replace Triple DES with AES encryption for stronger security.
  • Analyze LoginAnomalyEvent data to detect and respond to suspicious login attempts.
  • Configure flow-based registration handlers to provision users during SSO without Apex.
  • Adjust identity and session settings to strengthen authentication and improve usability.

Give Headless App Users More Ways to Log In

Salesforce now supports headless user discovery, which means users can log in with an identifier of their choice—like an email address, phone number, order number, or case number—along with their password, instead of a traditional username. This capability is powered by an Apex class that implements the Auth.HeadlessUserDiscoveryHandler interface. By providing flexible login options, developers can create seamless and user-friendly authentication experiences for headless applications, particularly in B2C, partner, or anonymous user scenarios.

For example, in a headless ecommerce application, a user can log in using their order number. Once authenticated, they can immediately view their order details without navigating through multiple screens, saving time and improving user satisfaction. Headless login also integrates with password reset flows, allowing users to reset credentials using the same identifier, with Salesforce sending a verification OTP to confirm their identity.

This feature applies to Lightning Experience and Salesforce Classic in Enterprise, Unlimited, and Developer editions. Developers implement headless user discovery by creating an Apex handler class that locates users based on the provided identifier, then configuring the handler within Experience Cloud settings. During login, the headless app sends the identifier in the login_hint parameter to the appropriate OAuth endpoint. Similarly, for password resets, the app sends the identifier to the services/auth/headless/forgot_password endpoint.

Architecturally, headless user discovery enables highly customized and flexible authentication flows, which are critical for Customer 360 solutions involving external or anonymous users. By supporting multiple identifiers for login, this feature enhances usability, reduces friction, and allows architects to design authentication experiences tailored to the needs of modern headless applications.
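The handler described above, written out as an added example (this is not Salesforce's reference implementation). It resolves an email address, a phone number, or an order number to a single user. The method name, parameter list and `Id` return type of `Auth.HeadlessUserDiscoveryHandler` are assumed here, as is the `ORD-` prefix used to recognise order numbers; check them against the Apex reference for your release before deploying.

```apex
// Added example; not Salesforce's reference implementation.
// Assumption: Auth.HeadlessUserDiscoveryHandler declares one method,
// discoverUser(String identifier, Map<String, String> requestAttributes),
// returning the Id of the resolved user, or null when no single user matches.
// "without sharing" because the lookup runs for an unauthenticated request and
// must be able to see every User record; only the Id is returned.
global without sharing class FlexibleUserDiscoveryHandler implements Auth.HeadlessUserDiscoveryHandler {

    // Constructed convention for this example: order numbers arrive as "ORD-<OrderNumber>".
    private static final String ORDER_PREFIX = 'ORD-';

    global Id discoverUser(String identifier, Map<String, String> requestAttributes) {
        if (String.isBlank(identifier)) {
            return null;
        }
        String value = identifier.trim();
        List<User> matches;

        if (value.contains('@')) {
            // Email address: only active users are eligible to log in
            matches = [SELECT Id FROM User WHERE Email = :value AND IsActive = true LIMIT 2];
        } else if (value.startsWithIgnoreCase(ORDER_PREFIX)) {
            // Order number: strip the prefix, then resolve through the order's
            // bill-to contact to the site user that owns it
            String orderNumber = value.substring(ORDER_PREFIX.length());
            matches = [
                SELECT Id FROM User
                WHERE IsActive = true
                  AND ContactId IN (SELECT BillToContactId FROM Order WHERE OrderNumber = :orderNumber)
                LIMIT 2
            ];
        } else {
            // Phone number: compared against both phone fields exactly as stored
            matches = [
                SELECT Id FROM User
                WHERE IsActive = true AND (Phone = :value OR MobilePhone = :value)
                LIMIT 2
            ];
        }

        // LIMIT 2 is enough to tell "exactly one" from "ambiguous". Zero and
        // ambiguous matches are handled identically, so the app's response does
        // not reveal whether an identifier belongs to an account.
        if (matches.size() != 1) {
            return null;
        }
        return matches[0].Id;
    }
}
```

The important design point is the last check: an identifier that maps to two users (two contacts sharing a phone number, say) must not log either of them in, and must not produce a different error from an unknown identifier.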

Triple DES Encryption Is No Longer Supported for SAML Single Sign-On

Salesforce has updated its SAML single sign-on (SSO) security to no longer support the Triple DES encryption algorithm for SAML responses. This change affects all configurations where Salesforce acts as either the identity provider (IdP) or the service provider (SP). While existing configurations using Triple DES remain functional, Salesforce strongly recommends migrating to more secure algorithms, such as AES 128 or AES 256, to prevent potential future service disruptions.

The reason for this update is that Triple DES uses key and block sizes that are no longer considered secure. AES 128 and AES 256 use longer keys, which are significantly more resistant to attacks. For organizations using Salesforce as an identity provider, administrators should review the Block Encryption Algorithm setting in connected app configurations and update any Triple DES settings to AES. Similarly, if Salesforce is the service provider, coordinate with your identity provider to ensure SAML responses are encrypted with a supported algorithm and update the Assertion Decryption Certificate as needed.

This change applies to Lightning Experience and Salesforce Classic across all editions. It’s a mandatory security enhancement for all SAML integrations. It ensures compliance with data governance and security best practices, safeguarding sensitive user authentication data. By upgrading to AES encryption, architects can maintain secure SSO configurations, avoid disruptions, and align with current encryption standards.
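When Salesforce is the service provider, the encryption algorithm is chosen by the identity provider, so the check has to be made on a real SAML response. The following added example (not part of Salesforce's SAML settings or of any Salesforce code) parses a decoded response with the `Dom` classes and reports the XML Encryption algorithm URIs it finds, keeping the assertion's block algorithm separate from the key-transport algorithm under `EncryptedKey`. The algorithm URIs are the standard XML Encryption identifiers; the sample response is constructed for the example and carries placeholder cipher values.

```apex
// Added example; not Salesforce code. Audits which XML Encryption algorithms a
// decoded SAML response uses, so a Triple DES assertion from an IdP is caught
// in review before the algorithm stops being accepted.
public with sharing class SamlEncryptionAuditor {
    public static final String XMLENC_NS = 'http://www.w3.org/2001/04/xmlenc#';
    public static final String TRIPLE_DES_CBC = XMLENC_NS + 'tripledes-cbc';
    // Block algorithms the text names as supported
    public static final Set<String> SUPPORTED_BLOCK_ALGORITHMS = new Set<String>{
        XMLENC_NS + 'aes128-cbc',
        XMLENC_NS + 'aes256-cbc'
    };

    // Algorithm URIs keyed by the enclosing element: "EncryptedData" holds the
    // assertion's block algorithm, "EncryptedKey" the key-transport algorithm.
    public static Map<String, List<String>> algorithmsByElement(String samlResponseXml) {
        Dom.Document doc = new Dom.Document();
        doc.load(samlResponseXml);
        Map<String, List<String>> found = new Map<String, List<String>>{
            'EncryptedData' => new List<String>(),
            'EncryptedKey' => new List<String>()
        };
        walk(doc.getRootElement(), null, found);
        return found;
    }

    private static void walk(Dom.XmlNode node, String parentName, Map<String, List<String>> found) {
        if (node.getNodeType() != Dom.XmlNodeType.ELEMENT) {
            return;
        }
        if (node.getName() == 'EncryptionMethod' && node.getNamespace() == XMLENC_NS
                && found.containsKey(parentName)) {
            String alg = node.getAttribute('Algorithm', null);
            if (alg != null) {
                found.get(parentName).add(alg);
            }
        }
        for (Dom.XmlNode child : node.getChildElements()) {
            walk(child, node.getName(), found);
        }
    }

    // One line per finding, suitable for a migration checklist
    public static List<String> findings(String samlResponseXml) {
        List<String> out = new List<String>();
        for (String alg : algorithmsByElement(samlResponseXml).get('EncryptedData')) {
            if (alg == TRIPLE_DES_CBC) {
                out.add('Assertion encrypted with Triple DES (' + alg + '): move the IdP to AES 128 or AES 256');
            } else if (!SUPPORTED_BLOCK_ALGORITHMS.contains(alg)) {
                out.add('Assertion block algorithm outside the expected AES set: ' + alg);
            } else {
                out.add('Assertion block algorithm OK: ' + alg);
            }
        }
        if (out.isEmpty()) {
            out.add('No EncryptedData element found: assertion is unencrypted (signed only)');
        }
        return out;
    }

    // Constructed sample: the skeleton of an encrypted assertion as an IdP would send it
    public static String sampleTripleDesResponse() {
        return '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
             + 'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
             + '<saml:EncryptedAssertion>'
             + '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
             + '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>'
             + '<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
             + '<xenc:EncryptedKey>'
             + '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>'
             + '<xenc:CipherData><xenc:CipherValue>BASE64-KEY-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>'
             + '</xenc:EncryptedKey></ds:KeyInfo>'
             + '<xenc:CipherData><xenc:CipherValue>BASE64-DATA-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>'
             + '</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>';
    }
}
// Anonymous Apex:
// System.debug(SamlEncryptionAuditor.findings(SamlEncryptionAuditor.sampleTripleDesResponse()));
```

Paste a base64-decoded response captured from a browser SAML tracer into `findings`; only the `EncryptedData` algorithm is judged against the AES list, because the `EncryptedKey` element carries the RSA key-transport method rather than the block cipher this change concerns.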

Investigate Suspicious Login Activity with the Login Anomaly Event

The LoginAnomalyEvent enables administrators and security teams to receive notifications about potentially suspicious login attempts. Examples include logins from unusual locations, atypical times, or uncommon devices. All data from these events is stored in the LoginAnomalyEventStore, making it easy to review and analyze security-related activity.

By using the LoginAnomalyEvent, architects and administrators can enhance auditing and monitoring capabilities for login activities. This allows teams to detect potential threats proactively, respond quickly to security incidents, and build advanced security monitoring solutions. Integrating these events into your monitoring processes provides greater visibility into user access patterns, helps diagnose potential identity provider issues, and strengthens overall access management practices.

This update applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions. It only applies to customers who purchased Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
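A starting point for the analysis the text calls for, as an added example that is not Salesforce code: it aggregates recent `LoginAnomalyEventStore` records per user so that repeat anomalies from several source addresses stand out during triage. The field names `Username`, `SourceIp`, `EventDate` and `Summary` are assumed to exist on the store object; confirm them in the Object Reference for your org before using the query.

```apex
// Added example; not Salesforce code. Summarizes stored login anomaly events
// per user for triage. Assumed fields on LoginAnomalyEventStore:
// Username, SourceIp, EventDate, Summary.
public with sharing class LoginAnomalyTriage {

    public class UserAnomalySummary {
        public String username;
        public Integer eventCount = 0;
        public Set<String> sourceIps = new Set<String>();
        public Datetime latestEvent;
        public List<String> summaries = new List<String>();
    }

    // Aggregates anomaly events from the last lookbackDays days, keyed by username
    public static Map<String, UserAnomalySummary> summarize(Integer lookbackDays) {
        Datetime since = Datetime.now().addDays(-lookbackDays);
        Map<String, UserAnomalySummary> byUser = new Map<String, UserAnomalySummary>();
        for (LoginAnomalyEventStore evt : [
            SELECT Username, SourceIp, EventDate, Summary
            FROM LoginAnomalyEventStore
            WHERE EventDate >= :since
            ORDER BY EventDate DESC
            LIMIT 10000
        ]) {
            UserAnomalySummary s = byUser.get(evt.Username);
            if (s == null) {
                s = new UserAnomalySummary();
                s.username = evt.Username;
                byUser.put(evt.Username, s);
            }
            s.eventCount++;
            if (evt.SourceIp != null) {
                s.sourceIps.add(evt.SourceIp);
            }
            if (s.latestEvent == null || evt.EventDate > s.latestEvent) {
                s.latestEvent = evt.EventDate;
            }
            if (evt.Summary != null) {
                s.summaries.add(evt.Summary);
            }
        }
        return byUser;
    }

    // Users with at least minEvents anomalies coming from more than one source IP,
    // which separates a single odd login from a pattern worth an analyst's time
    public static List<UserAnomalySummary> repeatAnomalies(Integer lookbackDays, Integer minEvents) {
        List<UserAnomalySummary> flagged = new List<UserAnomalySummary>();
        for (UserAnomalySummary s : summarize(lookbackDays).values()) {
            if (s.eventCount >= minEvents && s.sourceIps.size() > 1) {
                flagged.add(s);
            }
        }
        return flagged;
    }
}
// Anonymous Apex: for (LoginAnomalyTriage.UserAnomalySummary s : LoginAnomalyTriage.repeatAnomalies(7, 3)) {
//     System.debug(s.username + ' ' + s.eventCount + ' events from ' + s.sourceIps);
// }
```

For real-time notification rather than periodic review, the same aggregation can be fed from an after-insert trigger on the `LoginAnomalyEvent` platform event; the store query above is the retrospective view of the same data.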

Build Single Sign-On Registration Handlers Without Code

Administrators and declarative developers can now set up single sign-on (SSO) registration handlers entirely with clicks using Flow Builder, eliminating the need for Apex code in many use cases. When you configure an authentication provider for SSO into Salesforce or an Experience Cloud site, you can use the new authentication provider user registration flow template to quickly create a registration handler flow. The template demonstrates how to create or update users who log in via a third-party identity provider and includes two invocable actions to simplify user provisioning.

  • Get User Data from JSON String: Retrieve specific attributes from complex, nested JSON structures, making it easy to parse ID tokens or user info responses sent by the identity provider.
  • Generate User Data: Fill in placeholder values for any required fields not provided by the identity provider, ensuring complete user records in Salesforce.

With flow-based registration handlers, you can also manage user access declaratively by adding or removing permission sets at runtime in a single assignment, avoiding mixed DML errors that can occur in Apex. While Apex registration handlers remain ideal for high-scale or high-performance scenarios, flow registration handlers simplify SSO implementations for most orgs and reduce reliance on specialized developer resources.

To implement SSO, create a flow in Flow Builder that:

  • Retrieves user information from the identity provider.
  • Searches for a matching user in Salesforce.
  • Creates or updates the user as needed.

As a last step, assign the flow as the registration handler on the Authentication Providers page in Setup and test the end-to-end SSO process with both new and existing users.
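For the high-scale case the text reserves for Apex, here is the same three-step procedure (retrieve the identity provider's user data, search for a match, create or update) written against the `Auth.RegistrationHandler` interface. This is an added example, not the Trailhead flow template or Salesforce sample code. It assumes the identity provider's stable subject identifier is stored in `User.FederationIdentifier`, that a profile named `Standard User` exists, and that a permission set with the constructed API name `SSO_Users` grants the SSO users' access; it handles internal users only, which keeps User and PermissionSetAssignment DML in one transaction without the mixed-DML problem that arises when a Contact is created alongside the User.

```apex
// Added example; not the flow template and not Salesforce sample code.
// Assumptions: IdP subject id lives in User.FederationIdentifier, a "Standard User"
// profile exists, and the permission set API name SSO_Users is constructed here.
global without sharing class SsoRegistrationHandler implements Auth.RegistrationHandler {

    private static final String DEFAULT_PROFILE = 'Standard User';   // assumption
    private static final String PERMISSION_SET_NAME = 'SSO_Users';    // constructed name

    // Called on first login from this IdP identity. Step 2 (search) happens here:
    // returning an existing User links the identity to it; returning a new, unsaved
    // User makes the platform insert it (step 3).
    global User createUser(Id portalId, Auth.UserData data) {
        List<User> existing = [
            SELECT Id FROM User
            WHERE FederationIdentifier = :data.identifier AND IsActive = true
            LIMIT 1
        ];
        // Fall back to email only when the IdP asserts the address is verified;
        // auto-linking on an unverified email would let a claimed address take over
        // an existing account.
        if (existing.isEmpty() && String.isNotBlank(data.email)
                && data.attributeMap != null && data.attributeMap.get('email_verified') == 'true') {
            existing = [SELECT Id FROM User WHERE Email = :data.email AND IsActive = true LIMIT 2];
            if (existing.size() > 1) {
                existing.clear(); // ambiguous: do not link
            }
        }
        if (!existing.isEmpty()) {
            return existing[0];
        }

        Profile p = [SELECT Id FROM Profile WHERE Name = :DEFAULT_PROFILE LIMIT 1];
        User u = new User(ProfileId = p.Id, FederationIdentifier = data.identifier);
        applyIdentityData(u, data);
        fillRequiredDefaults(u, data);
        return u;
    }

    // Called on every later login: refresh attributes and make sure access is assigned
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = new User(Id = userId);
        applyIdentityData(u, data);
        update u;
        ensurePermissionSet(userId);
    }

    // Attributes the IdP provides (the "Get User Data" step)
    private static void applyIdentityData(User u, Auth.UserData data) {
        if (String.isNotBlank(data.firstName)) u.FirstName = data.firstName;
        if (String.isNotBlank(data.lastName)) {
            u.LastName = data.lastName;
        } else if (String.isNotBlank(data.fullName)) {
            u.LastName = data.fullName;
        }
        if (String.isNotBlank(data.email)) u.Email = data.email;
    }

    // Placeholders for required fields the IdP did not send (the "Generate User Data" step).
    // The ".invalid" domain is a constructed placeholder for identities without an email.
    private static void fillRequiredDefaults(User u, Auth.UserData data) {
        if (String.isBlank(u.LastName)) u.LastName = 'Unknown';
        u.Username = String.isNotBlank(data.email) ? data.email : data.identifier + '@sso.example.invalid';
        String aliasSource = u.LastName.replaceAll('[^A-Za-z0-9]', '');
        u.Alias = (aliasSource.length() > 8 ? aliasSource.substring(0, 8) : aliasSource).toLowerCase();
        if (String.isBlank(u.Alias)) u.Alias = 'ssouser';
        u.EmailEncodingKey = 'UTF-8';
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey = 'en_US';
        u.TimeZoneSidKey = 'America/Los_Angeles';
    }

    // Idempotent permission set assignment; skipped if it already exists
    private static void ensurePermissionSet(Id userId) {
        List<PermissionSet> ps = [SELECT Id FROM PermissionSet WHERE Name = :PERMISSION_SET_NAME LIMIT 1];
        if (ps.isEmpty()) return;
        Integer already = [
            SELECT COUNT() FROM PermissionSetAssignment
            WHERE AssigneeId = :userId AND PermissionSetId = :ps[0].Id
        ];
        if (already == 0) {
            insert new PermissionSetAssignment(AssigneeId = userId, PermissionSetId = ps[0].Id);
        }
    }
}
```

The check on `email_verified` is the part worth keeping whichever way the handler is built, in a flow or in Apex: linking an incoming identity to an existing user by email alone trusts whatever the identity provider was told, so the fallback runs only when the provider vouches for the address.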

This feature applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

Explore Enhanced Identity and Access Management Features

Administrators and architects have more control, flexibility, and usability for authentication, session management, and security with expanded identity and access management capabilities. One key enhancement is the improved management of JWT-based access token timeouts.

You can now set longer timeout values for JWT tokens—up to 12 hours—and define these timeouts at the app level, profile level, or organization-wide. When both profile and organization-wide session settings are defined, Salesforce applies the profile setting, giving you precise control over session durations for both named and guest users. This enhancement enables a better balance between usability and security for integrations that rely on JWT-based authentication.

Beyond session management, there are several usability and security improvements across identity and access features.

  • Environment switcher favorites: Users can mark their most-used environments as favorites for faster access, reducing navigation time and improving productivity.
  • External client app framework enhancements: Administrators can configure mobile-specific features, such as screen lock timeouts, and enable push notifications for Android and iOS devices.
  • Staging and rotating external client app credentials: Keep external apps secure by staging, rotating, or deleting client credentials using API endpoints.
  • Improved account setup flows: New users who encounter delayed password and security question setup can reinitiate the process within 7 days of receiving their welcome email, reducing support friction.
  • OAuth and SAML improvements: Clearer error messages are provided for invalid scopes in client credentials flows and expired SAML InResponseTo attributes. Architects must ensure that they migrate from the single-configuration SAML framework to the multiple-configuration SAML framework, improving SSO scalability.
  • Identity verification updates: New orgs display all available verification methods by default, making it easier for users to choose their preferred authentication method. Password reset usability is also improved with the new “Use Your Email Address” option. Security questions now require answers of at least five characters.
  • Username validation: Usernames cannot include zero-width space characters, reducing confusion caused by invisible characters.

Together, these enhancements empower architects and administrators to design secure, efficient, and user-friendly authentication and access experiences, while simplifying management and compliance across Salesforce and connected applications.

This functionality applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

Summary

The latest identity management updates provide architects, administrators, and developers with powerful tools to enhance authentication, security, and usability across the platform. From headless user discovery and stronger SAML encryption to flow-based registration handlers and improved session management, these enhancements simplify user access while maintaining robust security standards. Features like LoginAnomalyEvent monitoring, JWT timeout controls, and external client app credential management give teams greater visibility and control over authentication processes. Together, these improvements enable organizations to create seamless, secure, and flexible identity experiences for internal, external, and anonymous users, supporting compliance, efficiency, and a high-quality user experience.
